CVE-2020-0796 - a "wormable" SMBv3 vulnerability.
Great...
😂
And as if it weren't interesting enough, they just did this...
🤔
And I was late to find it; others were faster...
So even if I deleted my tweet (when I saw the first reply saying it had been deleted), it would already be too late...
"This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers."
Source: fortiguard.com/encyclopedia/i
"Created: today
Updated: yesterday
Severity: maximum"
What's going on?
🤔
People started to ask, so adding it here too to get more visibility: "how to disable SMBv3 compression"?
You know how great it is that there is a recommendation to disable SMBv3 compression, but to find out how to do that, people have to reverse files?
😫
Some people want to be cool and name it with the word "corona" in it.
We recommend using the SMBGhost name for it - SMB is obviously for what, Ghost because "it not exists".
Took them some time, but at least finally MS wrote about it too: portal.msrc.microsoft.com/en-US/security
"Publicly Disclosed: No
Exploited: No"
🤔
Also: "Severity: Critical".
Also, finally they revealed the "official way" to disable SMBv3 compression:
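The thread only points at the official workaround without showing it, so here is an added example (not from the thread or from Microsoft) that applies and verifies it in PowerShell on an affected host. The registry path and the DisableCompression value name are taken from Microsoft's advisory for CVE-2020-0796, not from this page; the build-number check and function names are my own.

```powershell
# Added example: apply/verify the SMBv3 compression workaround for CVE-2020-0796.
# Run from an elevated PowerShell session on Windows 10 1903/1909 (server side).
# Registry key and value name per Microsoft's advisory (assumption: not on this page).

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'DisableCompression'

function Test-SmbCompressionRelevant {
    # SMBv3.1.1 compression only exists from Windows 10 1903 (build 18362) onward,
    # as the MS advisory update quoted later in the thread says. Older builds
    # are not affected and need no workaround.
    $build = [System.Environment]::OSVersion.Version.Build
    return ($build -ge 18362)
}

function Get-SmbCompressionState {
    # Reports the current state so the workaround can be audited across hosts.
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop)     { return 'enabled (value absent)' }
    if ($prop.$Name -eq 1)   { return 'disabled' }
    return "enabled (value = $($prop.$Name))"
}

function Disable-SmbCompression {
    # The official workaround: DWORD 1 disables SMBv3.1.1 compression on the
    # SMB server. Takes effect without a reboot. Note: this protects the
    # server role only; it does not protect the host's SMB client.
    Set-ItemProperty -Path $Key -Name $Name -Type DWORD -Value 1 -Force
}

function Enable-SmbCompression {
    # Roll back the workaround once the MS patch is installed.
    Set-ItemProperty -Path $Key -Name $Name -Type DWORD -Value 0 -Force
}

if (Test-SmbCompressionRelevant) {
    Write-Output "Before: $(Get-SmbCompressionState)"
    Disable-SmbCompression
    Write-Output "After:  $(Get-SmbCompressionState)"
} else {
    Write-Output 'This build predates SMBv3.1.1 compression; nothing to do.'
}
```

Get-SmbCompressionState is the part worth running fleet-wide (e.g. via remoting) to confirm the workaround actually landed, since the value is absent by default and absent means compression is still enabled.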
This.
Just use the CVE ID, or if you want name, use the SMBGhost one and that's it...
Interesting that the MITRE details page (cve.mitre.org/cgi-bin/cvenam) is still the same as yesterday (twitter.com/malwrhuntertea), when even MS already wrote officially about it (twitter.com/malwrhuntertea)...
Palo Alto also categorizes it as "critical" severity. But at least they have signatures too...
Screenshot source:
Quote Tweet
Signatures available for CVE-2020-0796... you'd better patch soon and ramp up your shields
CERT-EU published "Security Advisory 2020-014 - SMBv3 – Critical Remote Code Execution Vulnerability": media.cert.europa.eu/static/Securit
Basically, it's currently a collection of already public info, workarounds, etc...
There is a scanner already made by to tell if a server is vulnerable or not: github.com/ollypwn/SMBGho
And it seems Windows Defender can already catch some exploit attempts...
MS added an update to their advisory (twitter.com/malwrhuntertea) to clarify that "the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression."
Quote Tweet
Our Telltale research team will be sharing new insights into CVE-2020-0796 soon. Until then, here is a quick DoS PoC our researcher @MalwareTechBlog created. The #SMB bug appears trivial to identify, even without the presence of a patch to analyze. vimeo.com/397149983 @2sec4u
48k vulnerable hosts that are directly accessible from the internet is not a few:
Quote Tweet
We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).
MS released a patch: portal.msrc.microsoft.com/en-US/security
Now everyone can decide if they want to install it as soon as possible, or wait some time (with workarounds in place, of course) and see if it only patches the vulnerability or makes any problems (you know, we are talking about MS)...
Important details from .
And spam is only one way. Think about hacked websites... Or even websites only created for this purpose, then linked to in different places.
But of course, first a working exploit is needed...
In the past days, multiple crash PoC codes were made available for skids, so everyone, patch or use the workaround...